Flashback was beaten down when Apple took notice and measures, using the XProtect feature to blacklist the malware, including a Flashback remover as a security update, and quietly acquiring the Internet domains used by the botnet.

Intego says they also bought some of the domains used for C&C (command and control) for the botnet, and it is from those systems that they get the 22,000 number. Here is a screen shot of Intego's Apache server log showing attempts to contact the C&C:

source: Intego

I was confused by the "Windows NT 6.1" in the useragent string of the clients. I asked Intego and they provided this explanation:

The string (also known as the user-agent) and the referrer strings are sent directly by the FlashBack code and are not proof that machine is a Windows machine. The server compare those strings to be sure that it is a true infected mac. Even in Safari the user-agent string may be changed by the user and is not a proof of a system nor a proof of a browser. It's a given data to a web server, and for the Flashback server, certain user-agent strings are correct and tested by the Flashback server (it tests for other strings in addition elsewhere).